TorrentLocker Unlocked … For Now

There has been a lot of publicity on Ransomware campaigns compromising various targets (I posted on CryptoLocker HERE and Ransomware spreading in the wild HERE). For those that don’t know what Ransomware is, its malware that encrypts your data and holds it ransom for a fee to unlock it. The cost to get your data back can be anything from hundreds to thousands of dollars. Plus you don’t know what else is being done once you get your data back aka other forms of breaches happening on your system as well as what they do with the stolen data. I have had customers have their entire datacenter compromised and unfortunately had to pay the fees.

There has been some recent good news regarding TorrentLocker being unlocked. In summary, there is a way to identify the key based on a mistake in how the encryption was done by the TorrentLocker programs. A detailed explanation is found below. This comes from the research from Taneli Kaivola, Patrick Nisen and Antti Nuopponen of Nixu Oy.

“As the algorithm is a symmetric one, the same key is used both to encrypt and decrypt data. Because the malware program needs to have the key in the infected machine at some point of time to be able to encrypt the files, recovering the key from the infected machine could be possible, at least in theory.

Stream ciphers can be strong, but there are some fundamental issues that must be avoided in order to keep the encryption cryptographically secure. One of the most important things is not to use the keystream more than once.

In our analysis, we had samples of both encrypted and plaintext versions of the same files. As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file. We tested this with several samples of the affected files we had and realized that the malware program uses the same keystream to encrypt all the files within the same infection. This was a cryptographic mistake on the malware author’s part, as you should never use the keystream more than once.”

Most likely there will be a updated version of TorrentLocker to hit the streets correcting this flaw however its worth doing the research on possible free fixes if you happen to get compromised by one of these ransomware attacks.

More sources on this can be found HERE via the SANS blog as well as well as the tripwire website via HERE.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.